fix: improve key rotation (#1107)

* key rotation * fix: rotate signing key * cleanup * introspect * testingapplication key * date * client keys * fix client keys * fix client keys * access tokens only for users * AuthMethodPrivateKeyJWT * client keys * set introspection info correctly * managae apis * update oidc pkg * cleanup * merge msater * set current sequence in migration * set current sequence in migration * set current sequence in migration * ensure authn keys uptodate * improve key rotation * fix: return api config in ApplicationView * fix mocks for tests * fix(mock): corrected unit tests for updated mock package Co-authored-by: Stefan Benz <stefan@caos.ch>
2025-12-08 00:22:05 +00:00 · 2021-02-23 15:07:42 +01:00
parent 16a47c6542
commit f60d200d5a
34 changed files with 590 additions and 433 deletions
--- a/internal/auth/repository/eventsourcing/repository.go
+++ b/internal/auth/repository/eventsourcing/repository.go
@@ -17,6 +17,7 @@ import (
 	es_spol "github.com/caos/zitadel/internal/eventstore/spooler"
 	es_iam "github.com/caos/zitadel/internal/iam/repository/eventsourcing"
 	"github.com/caos/zitadel/internal/id"
+	key_model "github.com/caos/zitadel/internal/key/model"
 	es_key "github.com/caos/zitadel/internal/key/repository/eventsourcing"
 	es_org "github.com/caos/zitadel/internal/org/repository/eventsourcing"
 	es_proj "github.com/caos/zitadel/internal/project/repository/eventsourcing"
@@ -83,6 +84,7 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, au
 		return nil, err
 	}

+	keyChan := make(chan *key_model.KeyView)
 	key, err := es_key.StartKey(es, conf.KeyConfig, keyAlgorithm, idGenerator)
 	if err != nil {
 		return nil, err
@@ -112,7 +114,9 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, au
 	org := es_org.StartOrg(es_org.OrgConfig{Eventstore: es, IAMDomain: conf.Domain}, systemDefaults)

 	repos := handler.EventstoreRepos{UserEvents: user, ProjectEvents: project, OrgEvents: org, IamEvents: iam}
-	spool := spooler.StartSpooler(conf.Spooler, es, view, sqlClient, repos, systemDefaults)
+	spool := spooler.StartSpooler(conf.Spooler, es, view, sqlClient, repos, systemDefaults, keyChan)
+
+	locker := spooler.NewLocker(sqlClient)

 	return &EsRepository{
 		spool,
@@ -150,9 +154,13 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, au
 			View:          view,
 		},
 		eventstore.KeyRepository{
-			KeyEvents:          key,
-			View:               view,
-			SigningKeyRotation: conf.KeyConfig.SigningKeyRotation.Duration,
+			KeyEvents:                key,
+			View:                     view,
+			SigningKeyRotationCheck:  conf.KeyConfig.SigningKeyRotationCheck.Duration,
+			SigningKeyGracefulPeriod: conf.KeyConfig.SigningKeyGracefulPeriod.Duration,
+			KeyAlgorithm:             keyAlgorithm,
+			Locker:                   locker,
+			KeyChan:                  keyChan,
 		},
 		eventstore.ApplicationRepo{
 			View:          view,